
Access Code Help Please


txapache


I have been at this for a week and have posted on another forum with no luck. I have built a website with admin controls and everything worked on my localhost (home). Thinking I was ready to launch, I uploaded to the client's host server and went to test, and now I can't log in to the admin area to add or edit the database. Again, the login and access scripts worked great on the home system but not once uploaded. I have been back and forth through the scripts and cannot for the life of me figure it out. Please help; I have searched books, Google, and posts, and I know it's probably something crazy. The way it works is that from admin it should access the controller, which directs to login.php and access.php and then displays my add/edit form. Here is the code:

Login form:

<?php if (isset($loginError)): ?>
	<p><?php echo htmlout($loginError); ?></p>
<?php endif; ?>
<form action="" method="post">
<fieldset>
<legend>LogIn</legend>
	<div>
	<label for="group">Group:</label><input type="text" name="group" id="group"/>
</div><div>
	<label for="email">Email:</label><input type="text" name="email" id="email"/>
</div><div>
	<label for="password">Password:</label><input type="password" name="password" id="password"/>
</div>
</fieldset>
<div>
	<input type="hidden" name="action" value="login"/>
	<input type="submit" value="Log in" style="color: #ffffff; background-color: #008000; "/>
</div>
</form>

Access.php

<?php

function userIsLoggedIn()
{
if (isset($_POST['action']) and $_POST['action'] == 'login')
{
	if (!isset($_POST['group']) or $_POST['group'] == '' or
		!isset($_POST['email']) or $_POST['email'] == '' or
		!isset($_POST['password']) or $_POST['password'] == '')
	{
		$GLOBALS['loginError'] = 'Please fill in all fields';
		return FALSE;
	}

	$password = md5($_POST['password']);

	if (databaseContainsAgent($_POST['email'], $password, $_POST['group']))
	{
		session_start();
		$_SESSION['loggedIn'] = TRUE;
		$_SESSION['email'] = $_POST['email'];
		$_SESSION['password'] = $password;
		$_SESSION['group'] = $_POST['group'];
		return TRUE;
	}
	else
	{
		session_start();
		unset($_SESSION['loggedIn']);
		unset($_SESSION['email']);
		unset($_SESSION['password']);
		unset($_SESSION['group']);
		$GLOBALS['loginError'] =
				'The specified email address, group or password was incorrect.';
		return FALSE;
	}
}

if (isset($_POST['action']) and $_POST['action'] == 'logout')
{
	session_start();
	unset($_SESSION['loggedIn']);
	unset($_SESSION['email']);
	unset($_SESSION['password']);
	unset($_SESSION['group']);
	header('Location: ' . $_POST['goto']);
	exit();
}

session_start();
if (isset($_SESSION['loggedIn']))
{
	return databaseContainsAgent($_SESSION['email'], $_SESSION['password'], $_SESSION['group']);
}
}

function databaseContainsAgent($email, $password)
{
include 'fsd_db_login.php';
include 'db_inc.php';

$email = mysql_real_escape_string($email);
$password = mysql_real_escape_string($password);

$sql = "SELECT COUNT(*) FROM agent
		WHERE email='$email' AND password='$password'";
$result = mysqli_query($link, $sql);
if (!$result)
{
	$error = 'Error searching for agent.';
	include 'error_html.php';
	exit();
}
$row = mysqli_fetch_array($result);

if ($row[0] > 0)
{
	return TRUE;
}
else
{
	return FALSE;
}
}

function userHasRole($role)
{
include 'fsd_db_login.php';
include 'db_inc.php';

$email = mysql_real_escape_string($_SESSION['email']);
$group = mysql_real_escape_string($_SESSION['group']);
$role = mysql_real_escape_string($role);

$sql = "SELECT COUNT(*) FROM agent
		INNER JOIN agentrole ON agent.id = agentid
		INNER JOIN role ON roleid = role.id
		WHERE email = '$email' AND role.id='$role'";
$result = mysqli_query($link, $sql);
if (!$result)
{
	$error = 'Error searching for agent roles.';
	include 'error_html.php';
	exit();
}
$row = mysqli_fetch_array($result);

if ($row[0] > 0)
{
	return TRUE;
}
else
{
	return FALSE;
}
}

?>


What errors do you get? You should always have error handling in your code to provide error messages when authentication fails. Based upon the error you should know the area of the failure if not the exact failure. You haven't provided any details of what errors were encountered so trying to debug your code is just a shot in the dark.


I have serious doubts that your code really works on your local system, because you are using both mysql and mysqli functions within the code performing each query. For your code to work correctly, that would imply that you have both a mysql and mysqli connection.

 

Are you developing and debugging your code on a system (both your local development system and the live server) with error_reporting set to E_ALL and display_errors set to ON so that php would report and display all the errors it finds?


Thanks for the response, I should have mentioned. When I try to log in to the live admin, I fill out the log-in form and hit submit, and the form goes blank rather than going to the add/edit form. On my local host it sends me to the add/edit admin area where I can change prices, add other companies, etc. I realize that there is mysql and mysqli both in the same code, but it does in fact access the DB. Same with the live version: there is the public area that accesses the database and returns results, but the admin, so that I can give others access to add and edit, will not process. I do not get any error messages, and I checked the error log on the server and there is nothing there.


Without all the relevant code (you didn't post the form processing code, where the problem is most likely at), no one here can really help you with what your code is doing.

 

What have you done to troubleshoot and find what execution path your code is taking? For all we know, you don't have a database entry with the admin's information in it.


You also need to correct your usage of the two different database connections. Besides consuming two available connections in each invocation of your script, you are leaving yourself open to SQL injection, because the character encoding might be different between the mysql and the mysqli connection, and your usage of mysql_real_escape_string (on the mysql connection) might permit SQL to be injected into the query being performed over the mysqli connection.


I will switch the mysqli to mysql in the code. As far as the log-in form, login.php and access.php are includes in the controller.php. Once logged in and verified, the controller.php then displays the HTML admin form. I apologize, this is my third website and 2nd attempt with PHP. I'm not a NOOB, I'm a newborn. I do a lot of reading and attempts.


Ok, I believe that I fixed the code with just mysqli throughout. Still getting the same thing though: no error messages, and no admin login, just a screen refresh with a blank login form. Again, it is working on my local host. I checked the uploaded database and all is correct, same tables with all columns filled out. The thing is, on the log-in form even if I leave a box empty I should get an error message to fill it in, and I don't. Here are all three files: the controller that processes and calls the login script and access script.

 

Controller:

<?php

include_once 'magicquotes_inc.php';

require_once 'access.php';

if (!userIsLoggedIn())
{
include 'login.php';
exit();
}

if (!userHasRole('Editor'))
{
$error = 'Only Account Editors may access this page.';
include 'accessdenied.php';
exit();
}

// Add mover 
if (isset($_GET['add']))
{
$pagetitle = 'New Mover';
$action = 'addform';
$agentgroup = '';
$company = '';
$address = '';
$city = '';
$county = '';
$state = '';
$zipcode = '';
$phone = '';
$poc = '';
$email = '';
$url = '';
$logo = '';
$price_10x10 = '';
$price_10x15 = '';
$price_10x20 = '';
$price_10x30 = '';
$coupon = '';
$box_coupon_1 = '';
$box_coupon_2 = '';
$box_coupon_3= '';
$box_coupon_4 = '';
$box_coupon_5 = '';
$id = '';
$button = 'Add Mover';

//Build the list of coupons
include 'db_inc.php'; // $link is not in scope here: access.php only includes db_inc.php inside its functions
$sql = "SELECT id, filename FROM coupon";

$result = mysqli_query($link, $sql);
if (!$result)
{
$error = 'Error fetching list of coupons.';
include 'error_html.php';
exit();
}

while ($row = mysqli_fetch_array($result))
{
$coupons[] = array('id' => $row['id'], 'filename' => $row['filename']);
}
//Build the list of box coupons
$sql = "SELECT id, filename FROM boxcoupon";

$result = mysqli_query($link, $sql);
if (!$result)
{
$error = 'Error fetching list of box coupons.';
include 'error_html.php';
exit();
}

while ($row = mysqli_fetch_array($result))
{
$boxcoupons[] = array('id' => $row['id'], 'filename' => $row['filename']);
}	
include 'mover_form.php';
exit();
}
if (isset($_GET['addform']))
{
include 'db_inc.php';

//This is the directory where logos will be saved
//NOTE: the client-supplied filename is used as-is and the file type is never checked,
//so anything an editor uploads (a .php file included) is written under the web root.
$target = "images/movers/";
$target = $target . basename($_FILES['logo']['name']);

$agentgroup = mysqli_real_escape_string($link, $_POST['agentgroup']);
$company = mysqli_real_escape_string($link, $_POST['company']);
$address = mysqli_real_escape_string($link, $_POST['address']);
$city = mysqli_real_escape_string($link, $_POST['city']);
$county = mysqli_real_escape_string($link, $_POST['county']);
$state = mysqli_real_escape_string($link, $_POST['state']);
$zipcode = mysqli_real_escape_string($link, $_POST['zipcode']);
$phone = mysqli_real_escape_string($link, $_POST['phone']);
$poc = mysqli_real_escape_string($link, $_POST['poc']);
$email = mysqli_real_escape_string($link, $_POST['email']);
$url = mysqli_real_escape_string($link, $_POST['url']);
$logo = mysqli_real_escape_string($link, $_FILES['logo']['name']); // was $_FILE (undefined), which left $logo empty
$price_10x10 = mysqli_real_escape_string($link, $_POST['price_10x10']);
$price_10x15 = mysqli_real_escape_string($link, $_POST['price_10x15']);
$price_10x20 = mysqli_real_escape_string($link, $_POST['price_10x20']);
$price_10x30 = mysqli_real_escape_string($link, $_POST['price_10x30']);
$coupon = mysqli_real_escape_string($link, $_POST['coupon']);
$box_coupon_1 = mysqli_real_escape_string($link, $_POST['box_coupon_1']);
$box_coupon_2 = mysqli_real_escape_string($link, $_POST['box_coupon_2']);
$box_coupon_3 = mysqli_real_escape_string($link, $_POST['box_coupon_3']);
$box_coupon_4 = mysqli_real_escape_string($link, $_POST['box_coupon_4']);
$box_coupon_5 = mysqli_real_escape_string($link, $_POST['box_coupon_5']);
if ($coupon == '')
{
	$error = 'You must choose a coupon for this storage_unit.
		Click ‘back’ and try again.';
	include 'error_html.php';
	exit();
}

$sql = "INSERT INTO mover SET
	agentgroup = '$agentgroup',
	company = '$company',
	address = '$address',
	city = '$city',
	county = '$county',
	state = '$state',
	zipcode = '$zipcode',
	phone = '$phone',
	poc = '$poc',
	email = '$email',
	url = '$url',
	logo = '$logo',
	price_10x10 = '$price_10x10',
	price_10x15 = '$price_10x15',
	price_10x20 = '$price_10x20',
	price_10x30 = '$price_10x30',
	coupon = '$coupon',
	box_coupon_1 = '$box_coupon_1',
	box_coupon_2 = '$box_coupon_2',
	box_coupon_3 = '$box_coupon_3',
	box_coupon_4 = '$box_coupon_4',
	box_coupon_5 = '$box_coupon_5'";

//Writes the logo to the server (the original called mover_uploaded_file(), which does not exist)
if(!move_uploaded_file($_FILES['logo']['tmp_name'], $target))
{
$error = 'Sorry, there was a problem uploading your file.';
include 'error_html.php';
exit();
}

if (!mysqli_query($link, $sql)) // the connection argument was missing
{ 
	$error = 'Error adding submitted mover.';
	include 'error_html.php';
	exit();
}
header('Location: admin.html');
exit(); // stop here, otherwise execution falls through into the handlers below
}

// Edit Mover 
if (isset($_POST['action']) and $_POST['action'] == 'Edit') // 'Edit' was an unquoted bare word
{ 
//include 'fsd_db_login.php';
include 'db_inc.php';

$id = mysqli_real_escape_string($link, $_POST['id']);// Fetch records to update
$sql = "SELECT id, agentgroup, company, address, city, county, state, zipcode, phone, poc, email, url, logo, price_10x10, price_10x15, price_10x20, price_10x30, coupon, box_coupon_1, box_coupon_2, box_coupon_3, box_coupon_4, box_coupon_5 FROM mover WHERE id='$id'";
$result = mysqli_query($link, $sql); 
if (!$result)
{
	$error = 'Error fetching mover details.';
	include 'error_html.php';
	exit();
}
$row = mysqli_fetch_array($result);
$pagetitle = 'Edit Mover';
$action = 'editform';
$agentgroup = $row['agentgroup'];
$company = $row['company'];
$address = $row['address'];
$city = $row['city'];
$county = $row['county'];
$state = $row['state'];
$zipcode = $row['zipcode'];
$phone = $row['phone'];
$poc = $row['poc'];
$email = $row['email'];
$url = $row['url'];
$logo = $row['logo'];
$price_10x10 = $row['price_10x10'];
$price_10x15 = $row['price_10x15'];
$price_10x20 = $row['price_10x20'];
$price_10x30 = $row['price_10x30'];
$coupon = $row['coupon'];
$box_coupon_1 = $row['box_coupon_1'];
$box_coupon_2 = $row['box_coupon_2'];
$box_coupon_3 = $row['box_coupon_3'];
$box_coupon_4 = $row['box_coupon_4'];
$box_coupon_5 = $row['box_coupon_5'];
$id = $row['id'];
$button = 'Update Mover';

//Build the list of coupons
$sql = "SELECT id, filename FROM coupon";

$result = mysqli_query($link, $sql);
if (!$result)
{
$error = 'Error fetching list of coupons.';
include 'error_html.php';
exit();
}

while ($row = mysqli_fetch_array($result))
{
$coupons[] = array('id' => $row['id'], 'filename' => $row['filename']);
}
//Build the list of box coupons
$sql = "SELECT id, filename FROM boxcoupon";

$result = mysqli_query($link, $sql);
if (!$result)
{
$error = 'Error fetching list of box coupons.';
include 'error_html.php';
exit();
}

while ($row = mysqli_fetch_array($result))
{
$boxcoupons[] = array('id' => $row['id'], 'filename' => $row['filename']);
}
include 'mover_form.php';
exit();
}

if (isset($_GET['editform']))
{
include 'db_inc.php';	

$id = mysqli_real_escape_string($link, $_POST['id']);
$agentgroup = mysqli_real_escape_string($link, $_POST['agentgroup']);
$company = mysqli_real_escape_string($link, $_POST['company']);
$address = mysqli_real_escape_string($link, $_POST['address']);
$city = mysqli_real_escape_string($link, $_POST['city']);
$county = mysqli_real_escape_string($link, $_POST['county']);
$state = mysqli_real_escape_string($link, $_POST['state']);
$zipcode = mysqli_real_escape_string($link, $_POST['zipcode']);
$phone = mysqli_real_escape_string($link, $_POST['phone']);
$poc = mysqli_real_escape_string($link, $_POST['poc']);
$email = mysqli_real_escape_string($link, $_POST['email']);
$url = mysqli_real_escape_string($link, $_POST['url']);
$logo = mysqli_real_escape_string($link, $_POST['logo']);
$price_10x10 = mysqli_real_escape_string($link, $_POST['price_10x10']);
$price_10x15 = mysqli_real_escape_string($link, $_POST['price_10x15']);
$price_10x20 = mysqli_real_escape_string($link, $_POST['price_10x20']);
$price_10x30 = mysqli_real_escape_string($link, $_POST['price_10x30']);
$coupon = mysqli_real_escape_string($link, $_POST['coupon']);
$box_coupon_1 = mysqli_real_escape_string($link, $_POST['box_coupon_1']);
$box_coupon_2 = mysqli_real_escape_string($link, $_POST['box_coupon_2']);
$box_coupon_3 = mysqli_real_escape_string($link, $_POST['box_coupon_3']);
$box_coupon_4 = mysqli_real_escape_string($link, $_POST['box_coupon_4']);
$box_coupon_5 = mysqli_real_escape_string($link, $_POST['box_coupon_5']);
if ($coupon == '')
{
	$error = 'You must choose a coupon for this storage_unit.
		Click ‘back’ and try again.';
	include 'error_html.php';
	exit();
}

$sql = "UPDATE mover SET
	agentgroup = '$agentgroup',
	company = '$company',
	address = '$address',
	city = '$city',
	county = '$county',
	state = '$state',
	zipcode = '$zipcode',
	phone = '$phone',
	poc = '$poc',
	email = '$email',
	url = '$url',
	logo = '$logo',
	price_10x10 = '$price_10x10',
	price_10x15 = '$price_10x15',
	price_10x20 = '$price_10x20',
	price_10x30 = '$price_10x30',
	coupon = '$coupon',
	box_coupon_1 = '$box_coupon_1',
	box_coupon_2 = '$box_coupon_2',
	box_coupon_3 = '$box_coupon_3',
	box_coupon_4 = '$box_coupon_4',
	box_coupon_5 = '$box_coupon_5'
	WHERE id = '$id'";

if (!mysqli_query($link, $sql))
{ 
	$error = 'Error updating submitted mover.' . mysqli_error($link);
	include 'error_html.php';
	exit();
}
header('Location: admin.html');//redirect browser to admin page
exit();
}

// Delete mover 
if (isset($_POST['action']) and $_POST['action'] == 'Delete')
{
include 'db_inc.php';

$id = mysqli_real_escape_string($link, $_POST['id']);
//Delete Mover	
$sql = "DELETE from mover WHERE id='$id'";
if (!mysqli_query($link, $sql))
{
$error = 'Error deleting mover.';
include 'error_html.php';
exit();
}
header('Location: admin.html');//redirect browser to admin page
exit();
}

// Display agent list 
include 'db_inc.php';
// The group in the session came straight from the login form, so escape it before
// interpolating it (the original put $_SESSION[group] into the query raw).
// % and _ in it still act as LIKE wildcards.
$group = mysqli_real_escape_string($link, $_SESSION['group']);
$result = mysqli_query($link, "SELECT * FROM mover WHERE agentgroup LIKE '%$group%'");

if (!$result)
{	$error = 'ERROR fetching movers from database!';
include 'error_html.php';
exit();
}

while ($row = mysqli_fetch_array($result))
{
$movers[] = array('id' => $row['id'], 'company' => $row['company']);
}

include 'mover_list.php';
?>

 

Access:

<?php

function userIsLoggedIn()
{
if (isset($_POST['action']) and $_POST['action'] == 'login')
{
	if (!isset($_POST['group']) or $_POST['group'] == '' or
		!isset($_POST['email']) or $_POST['email'] == '' or
		!isset($_POST['password']) or $_POST['password'] == '')
	{
		$GLOBALS['loginError'] = 'Please fill in all fields';
		return FALSE;
	}

	// Unsalted MD5 is what the stored agent.password values were created with; it is a
	// checksum, not a password hash (password_hash() is the replacement).
	$password = md5($_POST['password']);

	if (databaseContainsAgent($_POST['email'], $password, $_POST['group']))
	{
		session_start();
		$_SESSION['loggedIn'] = TRUE;
		$_SESSION['group'] = $_POST['group'];
		$_SESSION['email'] = $_POST['email'];
		$_SESSION['password'] = $password;
		return TRUE;
	}
	else
	{
		session_start();
		unset($_SESSION['loggedIn']);
		unset($_SESSION['group']);
		unset($_SESSION['email']);
		unset($_SESSION['password']);
		$GLOBALS['loginError'] =
				'The specified group, email address, or password was incorrect.';
		return FALSE;
	}
}

if (isset($_POST['action']) and $_POST['action'] == 'logout')
{
	session_start();
	unset($_SESSION['loggedIn']);
	unset($_SESSION['group']);
	unset($_SESSION['email']);
	unset($_SESSION['password']);
	header('Location: ' . $_POST['goto']); // redirects wherever the form says; nothing restricts it to this site
	exit();
}

session_start();
if (isset($_SESSION['loggedIn']))
{
	return databaseContainsAgent($_SESSION['group'], $_SESSION['email'], $_SESSION['password']);
}
}

function databaseContainsAgent($group, $email, $password)
{
include 'db_inc.php';
$group = mysqli_real_escape_string($link, $group);
$email = mysqli_real_escape_string($link, $email);
$password = mysqli_real_escape_string($link, $password);

// NOTE: $group is escaped but never used in the WHERE clause, so the Group box on the
// login form is not actually verified against anything.
$sql = "SELECT COUNT(*) FROM agent
		WHERE email='$email' AND password='$password'";
$result = mysqli_query($link, $sql);
if (!$result)
{
	$error = 'Error searching for agent.';
	include 'error_html.php';
	exit();
}
$row = mysqli_fetch_array($result);

if ($row[0] > 0)
{
	return TRUE;
}
else
{
	return FALSE;
}
}

function userHasRole($role)
{
include 'db_inc.php';

$group = mysqli_real_escape_string($link, $_SESSION['group']); // escaped but unused below
$email = mysqli_real_escape_string($link, $_SESSION['email']);
$role = mysqli_real_escape_string($link, $role);

$sql = "SELECT COUNT(*) FROM agent
		INNER JOIN agentrole ON agent.id = agentid
		INNER JOIN role ON roleid = role.id
		WHERE email = '$email' AND role.id='$role'";
$result = mysqli_query($link, $sql);
if (!$result)
{
	$error = 'Error searching for agent roles.';
	include 'error_html.php';
	exit();
}
$row = mysqli_fetch_array($result);

if ($row[0] > 0)
{
	return TRUE;
}
else
{
	return FALSE;
}
}

?>

 

Login:

<?php if (isset($loginError)): ?>
	<p><?php echo htmlout($loginError); ?></p>
<?php endif; ?>
<form action="" method="post">
<fieldset>
<legend>LogIn</legend>
	<div>
	<label for="group">Group:</label><input type="text" name="group" id="group"/>
</div><div>
	<label for="email">Email:</label><input type="text" name="email" id="email"/>
</div><div>
	<label for="password">Password:</label><input type="password" name="password" id="password"/>
</div>
</fieldset>
<div>
	<input type="hidden" name="action" value="login"/>
	<input type="submit" value="Log in" style="color: #ffffff; background-color: #008000; "/>
</div>
</form>
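As an added example that is not the poster's code: a hardened access.php covering the points raised in the thread, namely the mixed mysql/mysqli escaping, the unescaped `$_SESSION[group]` in the controller's mover query, the Group field that is accepted but never checked, and the md5 passwords. It assumes (none of this is on the page) that db_inc.php defines `$link` as a mysqli connection on mysqlnd (for `get_result`), that the agent table has an `agentgroup` column, and that agent.password holds `password_hash()` output. Table and other column names follow the posted code.

```php
<?php
// Added example, not the poster's code: hardened replacement for access.php.
// Assumptions (not from the page): db_inc.php defines $link (mysqli, mysqlnd);
// agent has an agentgroup column; agent.password stores password_hash() output.
declare(strict_types=1);

function startSession(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params([
            'httponly' => true,
            'secure'   => !empty($_SERVER['HTTPS']),
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// Looks the agent up by e-mail AND group, then checks the password against the
// stored hash. Returns the agent id, or null. No SQL is built from request data.
function authenticateAgent(mysqli $link, string $group, string $email, string $password): ?int
{
    $stmt = $link->prepare('SELECT id, password FROM agent WHERE email = ? AND agentgroup = ?');
    $stmt->bind_param('ss', $email, $group);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

function userIsLoggedIn(mysqli $link): bool
{
    startSession();
    $action = $_POST['action'] ?? '';

    if ($action === 'login') {
        $group    = trim($_POST['group'] ?? '');
        $email    = trim($_POST['email'] ?? '');
        $password = $_POST['password'] ?? '';
        if ($group === '' || $email === '' || $password === '') {
            $GLOBALS['loginError'] = 'Please fill in all fields';
            return false;
        }
        $id = authenticateAgent($link, $group, $email, $password);
        if ($id === null) {
            $GLOBALS['loginError'] = 'The specified group, email address, or password was incorrect.';
            return false;
        }
        session_regenerate_id(true);   // fresh id once the session becomes privileged
        $_SESSION['agent_id'] = $id;   // the password (or its hash) never goes in the session
        $_SESSION['group']    = $group;
        return true;
    }

    if ($action === 'logout') {
        $_SESSION = [];
        session_destroy();
        $goto = $_POST['goto'] ?? '/';
        // Only same-site paths: the posted version redirects wherever the client asks.
        if ($goto === '' || $goto[0] !== '/' || substr($goto, 0, 2) === '//') {
            $goto = '/';
        }
        header('Location: ' . $goto);
        exit();
    }
    return isset($_SESSION['agent_id']);
}

// In the posted schema role.id is the role name ('Editor'), so it is compared directly.
function userHasRole(mysqli $link, string $role): bool
{
    if (!isset($_SESSION['agent_id'])) {
        return false;
    }
    $stmt = $link->prepare('SELECT COUNT(*) FROM agentrole INNER JOIN role ON role.id = agentrole.roleid
                            WHERE agentrole.agentid = ? AND role.id = ?');
    $stmt->bind_param('is', $_SESSION['agent_id'], $role);
    $stmt->execute();
    [$count] = $stmt->get_result()->fetch_row();
    $stmt->close();
    return $count > 0;
}

// Drop-in for the controller's "WHERE agentgroup like '%$_SESSION[group]%'":
// the group is bound, not interpolated, and its LIKE wildcards are escaped.
function moversForGroup(mysqli $link, string $group): array
{
    $pattern = '%' . addcslashes($group, '%_\\') . '%';
    $stmt = $link->prepare('SELECT id, company FROM mover WHERE agentgroup LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $movers = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $movers;
}
```

The controller would include db_inc.php once at the top and call `userIsLoggedIn($link)`, `userHasRole($link, 'Editor')` and `moversForGroup($link, $_SESSION['group'])`. Existing md5 values in agent.password will not verify against `password_verify()`, so either reset those passwords or accept the md5 match once at login and overwrite the column with `password_hash()` output.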


include_once 'magicquotes_inc.php';

 

^^^ It's likely that your magicquotes_inc.php code is wiping out your $_POST data, so the rest of the logic that is testing for $_POST variables is false and is skipping over the code.

 

Did you ever turn on the error_reporting/display_errors settings as was suggested -

Are you developing and debugging your code on a system (both your local development system and the live server) with error_reporting set to E_ALL and display_errors set to ON so that php would report and display all the errors it finds?
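The poster's magicquotes_inc.php is not shown, so the following is an added example, not that file: the usual shape of a magic-quotes stripper that leaves `$_POST` intact, beside the one slip (a missing `return`) that would produce exactly the symptom above, an empty array after the include so that `isset($_POST['action'])` fails on every request. The sample input is constructed. Note that magic quotes were removed in PHP 5.4 and `get_magic_quotes_gpc()` itself in PHP 8.0, so on a current server the file has no job to do and can simply be dropped.

```php
<?php
// Added example (not the poster's magicquotes_inc.php, which was not shown).

// Recursively remove the backslashes magic_quotes_gpc added. The `return` is the
// whole point: without it every element becomes NULL after the array_map below.
function stripslashes_deep($value)
{
    return is_array($value)
        ? array_map('stripslashes_deep', $value)
        : stripslashes($value);
}

// Broken variant: does the work but never returns the result.
function stripslashes_deep_broken($value)
{
    is_array($value) ? array_map('stripslashes_deep_broken', $value) : stripslashes($value);
}

// Only old engines add the slashes; on PHP 8 the function no longer exists.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    foreach (['_POST', '_GET', '_COOKIE', '_REQUEST'] as $name) {
        $GLOBALS[$name] = array_map('stripslashes_deep', $GLOBALS[$name]);
    }
}

// Self-check on constructed input (not a real request):
$sample = ['action' => 'login', 'email' => "o\\'brien@example.test"];
$good = array_map('stripslashes_deep', $sample);        // action => 'login', email => "o'brien@example.test"
$bad  = array_map('stripslashes_deep_broken', $sample); // action => NULL, email => NULL
var_dump(isset($good['action']), isset($bad['action'])); // bool(true) bool(false)
```

Running this under the same PHP version as the live server tells you in one go whether the stripper is the culprit: if `$_POST` arrives populated and leaves the include empty, the problem is inside that file, not in access.php.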


Still not connecting, but with magicquotes taken out the login processes and I get an error message: "Error searching for agent." Apparently the magicquotes was blocking the login; now I feel like I am making progress after a week. Thanks.


Since your code is running (no fatal parse errors), add the following two lines of code immediately after the first opening <?php tag on the main page -

 

ini_set("display_errors", "1");
error_reporting(-1);

 

You should probably troubleshoot why your magicquotes_inc.php code is not working (it's probably related to not having a database connection.)


Admin log-in works. I appreciate the help/assistance on this. Not sure what the 2 lines of code truly mean, but I did place them. I guess they are the ones giving the errors at the top of the page. At least that helps me to know where to look to figure it out. Sometimes the page just shows blank? But that's another topic. This one is closed. Thanks.